CVE-2025-39703
published 2025-09-05

Severity: medium, 5.5 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
In the Linux kernel, the following vulnerability has been resolved:

net, hsr: reject HSR frame if skb can't hold tag

Receiving HSR frame with insufficient space to hold HSR tag in the skb can result in a crash (kernel BUG):

[ 45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0xe end:0x180 dev:bridge_slave_1
[ 45.392559] ------------[ cut here ]------------
[ 45.392912] kernel BUG at net/core/skbuff.c:211!
[ 45.393276] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 45.393809] CPU: 1 UID: 0 PID: 2496 Comm: reproducer Not tainted 6.15.0 #12 PREEMPT(undef)
[ 45.394433] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 45.395273] RIP: 0010:skb_panic+0x15b/0x1d0
[ 45.402911] Call Trace:
[ 45.403105]
[ 45.404470] skb_push+0xcd/0xf0
[ 45.404726] br_dev_queue_push_xmit+0x7c/0x6c0
[ 45.406513] br_forward_finish+0x128/0x260
[ 45.408483] __br_forward+0x42d/0x590
[ 45.409464] maybe_deliver+0x2eb/0x420
[ 45.409763] br_flood+0x174/0x4a0
[ 45.410030] br_handle_frame_finish+0xc7c/0x1bc0
[ 45.411618] br_handle_frame+0xac3/0x1230
[ 45.413674] __netif_receive_skb_core.constprop.0+0x808/0x3df0
[ 45.422966] __netif_receive_skb_one_core+0xb4/0x1f0
[ 45.424478] __netif_receive_skb+0x22/0x170
[ 45.424806] process_backlog+0x242/0x6d0
[ 45.425116] __napi_poll+0xbb/0x630
[ 45.425394] net_rx_action+0x4d1/0xcc0
[ 45.427613] handle_softirqs+0x1a4/0x580
[ 45.427926] do_softirq+0x74/0x90
[ 45.428196]

This issue was found by syzkaller.

The panic happens in br_dev_queue_push_xmit() once it receives a corrupted skb with ETH header already pushed in linear data. When it attempts the skb_push() call, there's not enough headroom and skb_push() panics.

The corrupted skb is put on the queue by HSR layer, which makes a sequence of unintended transformations when it receives a specific corrupted HSR frame (with incomplete TAG).

Fix it by droppi

Affected

41 ranges · showing 25

Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm)
debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm)
linux | linux | |
linux | linux | |
linux | linux | >= 48b491a5cc74333c4a6a82fe21cea42c055a3b0b < 3ae272ab523dd6bdc26e879027ed79feac9dd1b3 | 3ae272ab523dd6bdc26e879027ed79feac9dd1b3
linux | linux | >= 48b491a5cc74333c4a6a82fe21cea42c055a3b0b < b640188b8a6690e685939053c7efdbc7818b5f4e | b640188b8a6690e685939053c7efdbc7818b5f4e
linux | linux | >= 48b491a5cc74333c4a6a82fe21cea42c055a3b0b < b117c41b00902c1a7e24347c405cb82504aeae0b | b117c41b00902c1a7e24347c405cb82504aeae0b
linux | linux | >= 48b491a5cc74333c4a6a82fe21cea42c055a3b0b < acd69b597bd3f76d3b3d322b84082226c00eeaa4 | acd69b597bd3f76d3b3d322b84082226c00eeaa4
linux | linux | >= 48b491a5cc74333c4a6a82fe21cea42c055a3b0b < 61009439e4bd8d74e705ee15940760321be91d8a | 61009439e4bd8d74e705ee15940760321be91d8a
linux | linux | >= 48b491a5cc74333c4a6a82fe21cea42c055a3b0b < 7af76e9d18a9fd6f8611b3313c86c190f9b6a5a7 | 7af76e9d18a9fd6f8611b3313c86c190f9b6a5a7
linux | linux | >= 5.10.42 < 5.10.241 | 5.10.241
linux | linux | >= 5.12.9 < 5.13 | 5.13
linux | linux | >= f6442ee08fe66c8e45c4f246531a2aaf4f17a7a7 < 8d9bc4a375a1ba05f7dfa0407de8e510ab9bd14d | 8d9bc4a375a1ba05f7dfa0407de8e510ab9bd14d
linux | linux_kernel | |
linux | linux_kernel | |
linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1
linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1
linux | linux_kernel | >= 0 < 6.12.48-1 | 6.12.48-1
linux | linux_kernel | >= 0 < 6.16.5-1 | 6.16.5-1
linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173
linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100
linux | linux_kernel | >= 5.10.42 < 5.10.241 | 5.10.241
linux | linux_kernel | >= 5.12.9 < 5.13 | 5.13
linux | linux_kernel | >= 5.13.1 < 5.15.190 | 5.15.190

CVSS provenance

nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv | 5.5 | MEDIUM